Schedule A

Data Processing Profile

Radware's Bot Manager Service

This Data Processing Profile is supplemental to a Data Processing Agreement (“DPA”) between Radware Ltd./Inc. (“Radware” or “Processor”) and the entity that has executed or accepted the DPA (“Customer” or “Controller”). This Data Processing Profile describes the processing of personal data (or personally identifiable information) by Radware in connection with Radware’s Bot Manager Service (the “Service”). Capitalized terms used in this Data Processing Profile but not defined herein shall have the meanings ascribed to them in the DPA.

Service Overview

Radware’s Bot Manager Service protects web applications, mobile apps and APIs from automated attacks carried out by bots. The Service distinguishes between the activity of human visitors, the activity of legitimate automated software systems (i.e., good bots) and the activity of malicious automated software systems (i.e., bad bots), so that mitigation controls can be put in place to limit malicious automated and programmatic access to web and mobile applications. The Service uses several proprietary techniques, combining deterministic and machine learning models, to detect automated software systems, including but not limited to intent-based deep user behavioral analysis that gathers signals across user requests to detect and block malicious bots.

The Service provides the flexibility to configure various bot mitigation options based on the bot generation, bot category, specific page URL and geography. The Service also provides granular analytics and reporting functionality for customers through the Bot Manager Service Portal.

The Service may be deployed through an integrated agent on the Customer’s premises, a virtual appliance, or a DNS diversion using a cloud service bundle.

Purpose of the Processing

Processing is performed to protect the assets of the Customer that are covered by the Service (the “Protected Assets”) from automated threats caused by malicious actors; all pursuant to and for the limited purpose of performing Radware’s obligations set out in the Principal Agreement (as defined in the DPA).

Processing of Data in Transit

The Service processes traffic (legitimate and malicious) targeted at the Protected Assets through a Radware Bot Manager PoP (Radware has about 21 PoPs in Google Cloud Platform (GCP) to receive traffic from Radware’s customers). This is set up in such a way that traffic from the customer’s integration point reaches the nearest PoP. From the PoP, the traffic is sent for more detailed analysis to the Bot Manager backend through a secure channel.

The Service collects HTTP headers and browser information (through JavaScript) to fingerprint the end user’s device and uses this information in the bot detection process. The Personal Data within such collected information is listed under the ‘Categories of Personal Data’ heading below.

Data in transit at the network and application levels is encrypted using TLS 1.2 (AES 128).

Processing of Data at Rest

The Service does not store any information that can directly identify a natural person.

The Service only stores information on malicious actor activity (including malicious source IP addresses and malicious headers), alongside aggregated non-identifiable statistics about legitimate users.

Data at rest is encrypted at the hardware / storage level using AES 256 / AES 128.

Radware’s cloud partner, Google Cloud Platform (GCP), uses Cloud Key Management System Customer-Managed Encryption Keys (CMEK) on Google Kubernetes Engine (GKE).

Items of Data at Rest stored by the Service

Category: Personal Data

Data Description (categories of personal data):

  1. Data collected during the customer onboarding process, which includes first name, last name, business email ID and business phone number (optional);
  2. IP address collected from the HTTP header received from an HTTP request of an end user;
  3. End User ID, a non-mandatory parameter collected only if the Customer wishes to share this information with Radware. The User ID value is hashed in the API call;
  4. Server log file: applicable only in cases where the Customer requests a bad bot analyzer report. The bad bot analyzer is a free service offered by Radware that can be leveraged by the Customer either during a sales or presales phase to understand the volume and impact of bots on its business by scanning the data available in the log. The Customer will be able to send its server logs through a secure encrypted channel.

Additionally, with respect to ‘privacy by design’, Radware offers a feature in the NginX connector / agent to selectively collect or discard headers if the Customer believes that the information could potentially be Personally Identifiable Information.

Retention Period:

  1. Bot Signature logs – 45 days
  2. Data collected from our connector (HTTP headers) – 60 days
  3. Bot Manager Analytics data – 60 days
  4. Bot IP Feed data (if applicable) – 14 days

For Bad Bot Analyzer requests: the server log retention period is 7 days.

The maximum data retention period is 60 days.

Data Deletion: data is deleted at the end of the applicable retention period set forth above.

Radware Bot Manager provides a facility for the Customer to request deletion of the data of selected or all data subjects directly from the Radware Bot Manager Portal.

Category: Account Information

Data Description: Data related to the account protected by the Service.

Subscription:

  • Account name
  • Subscription period
  • Service plan
  • Contact information
  • Portal user details

Retention Period: Stored as long as the Customer account is active. Deleted once the Customer stops using the Service.

The above data is stored in virtual private cloud (VPC) environments based in the United States or Europe (GCP), depending on the Customer’s choice. Radware applies stringent access control to the Customer’s application data set. This data is only accessed by the Customer (and whomever the Customer gives permission to, e.g., a service provider), by privileged users (for example, a security analysis team member in case of reported issues or for proactive analysis) and by the Radware ERT team (for the purpose of providing the managed Service). The Customer may receive alerts of blocked bot attacks or view status via the online Service Portal.

Data Subjects

Individuals about whom data is provided to Radware through or in connection with the Service by (or at the direction of) the Customer or by the Customer’s end-users, which may include any natural person who accesses the Customer’s Protected Assets as well as employees, agents or advisors of the Customer.

Duration of the Processing

The duration of the processing is determined by the Principal Agreement (as defined in the DPA) or until the deletion of all of Customer’s Personal Data in accordance with the DPA and the “Data Retention and Deletion” details set forth in the table above.

Processing Locations

| Approved Sub-Processor/Affiliate (Company Name) | Company address | Approved scope of work | Approved Service Locations | Service Location address |
|---|---|---|---|---|
| Google | Mountain View, California | PoP | us-east1 | Moncks Corner, South Carolina, USA |
| Google | Mountain View, California | PoP | us-east4 | Ashburn, Northern Virginia, USA |
| Google | Mountain View, California | PoP | us-west1 | The Dalles, Oregon, USA |
| Google | Mountain View, California | PoP | us-west2 | Los Angeles, California, USA |
| Google | Mountain View, California | PoP | us-west3 | Salt Lake City, Utah, USA |
| Google | Mountain View, California | PoP | us-west4 | Las Vegas, Nevada, USA |
| Google | Mountain View, California | PoP | us-central1 | Council Bluffs, Iowa, USA |
| Google | Mountain View, California | PoP | europe-west4 | Eemshaven, Netherlands |
| Google | Mountain View, California | PoP | europe-west3 | Frankfurt, Germany |
| Google | Mountain View, California | PoP | europe-west2 | London, England, UK |
| Google | Mountain View, California | PoP | europe-west6 | Zürich, Switzerland |
| Google | Mountain View, California | PoP | europe-north1 | Hamina, Finland |
| Google | Mountain View, California | PoP | asia-east1 | Changhua County, Taiwan |
| Google | Mountain View, California | PoP | asia-southeast1 | Jurong West, Singapore |
| Google | Mountain View, California | PoP | asia-south1 | Mumbai, India |
| Google | Mountain View, California | PoP | australia-southeast1 | Sydney, Australia |
| Google | Mountain View, California | PoP | asia-east2 | Hong Kong |
| Google | Mountain View, California | PoP | asia-northeast1 | Tokyo, Japan |
| Google | Mountain View, California | PoP | asia-northeast2 | Osaka, Japan |
| Google | Mountain View, California | PoP | asia-southeast2 | Jakarta, Indonesia |
| Google | Mountain View, California | PoP | northamerica-northeast1 | Montréal, Québec, Canada |
| Google | Mountain View, California | Backend engine | europe-west3 | Frankfurt, Germany |

Industry Standard Certificates

Radware’s Bot Manager Service complies with the following standards for cybersecurity and privacy:

  • ISO 27001 – Information Security Management Systems
  • ISO 27032 – Security Techniques: Guidelines for Cybersecurity
  • ISO 27017 – Information Security for Cloud Services
  • ISO 27018 – Protection of Personally Identifiable Information (PII) in Public Clouds
  • HIPAA – Health Insurance Portability and Accountability Act
  • PCI-DSS – Payment Card Industry Data Security Standard – Service Provider Schedule D

Compliance with these standards is audited annually by third party auditors.

Customers may find Radware’s latest cybersecurity and privacy certifications and attestations at https://www.radware.com/newsroom/certificationsindustry/.

An annual SOC 2 Type II report is being prepared for Radware’s Cloud Services.
